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A Broadcast Approach To Secret Key Generation 
Over Slow Fading Channels 

Xiaojun Tang, Ruoheng Liu, Predrag Spasojevic and H. Vincent Poor 

Abstract 

A secret-key generation scheme based on a layered broadcasting strategy is introduced for slow-fading 
channels. In the model considered, Alice wants to share a key with Bob while keeping the key secret from 
Eve, who is a passive eavesdropper. Both Alice-Bob and Alice-Eve channels are assumed to undergo slow 
fading, and perfect channel state information (CSI) is assumed to be known only at the receivers during the 
transmission. In each fading slot, Alice broadcasts a continuum of coded layers and, hence, allows Bob to 
decode at the rate corresponding to the fading state (unknown to Alice). The index of a reliably decoded layer 
is sent back from Bob to Alice via a public and error-free channel and used to generate a common secret key. 
In this paper, the achievable secrecy key rate is first derived for a given power distribution over coded layers. 
The optimal power distribution is then characterized. It is shown that layered broadcast coding can increase 
the secrecy key rate significantly compared to single-level coding. 

Index Terms 

Secret-key agreement, wiretap channel, layered broadcast coding, superposition coding, feedback, interfer- 
ence, fading channel 

I. Introduction 

Wireless secrecy has attracted considerable research interest due to the concern that wireless communication 
is highly vulnerable to security attacks, particularly eavesdropping attacks. Much recent research was motivated 
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by Wyner's wire-tap channel model [Q], in which the transmission between two legitimate users (Alice and 
Bob) is eavesdropped upon by Eve via a degraded channel. In this model, to characterize the leakage of 
information to the eavesdropper, equivocation rate is used to denote the level of ignorance of the eavesdropper 
with respect to the confidential messages. Perfect secrecy requires that the equivocation rate is asymptotically 
equal to the message rate, and the maximal achievable rate with perfect secrecy is called the secrecy capacity. 
Wyner showed that secret communication is possible without a secret-key shared by legitimate users. Later, 
Csiszar and Korner generalized Wyner's model to consider general broadcast channels in |0. The Gaussian 
wire-tap channel was considered in [31 . Recent research has addressed the information-theoretic secrecy for 
multi-user channel models El-Si- We refer the reader to ||T0l for a recent survey of the research progress in 
this area. 

Interestingly, the wireless medium provides its own endowments that facilitate defending against eavesdrop- 
ping. One such endowment is fading ifTTl . The effect of fading on secret transmission has been studied in 
lfT2l - lfl4l . In these works, assuming that all communicating parties have perfect channel state information 
(CSI), the ergodic secrecy capacity has been derived. The scenario in which Alice has no CSI about Eve's 
channel (but knows the channel statistics) has also been studied in |[T2ll . The throughput of several secure 
hybrid automatic repeat request (ARQ) protocols has been analyzed in fT5l . In this work, Alice is not assumed 
to have prior CSI (except channel statistics), but can receive a 1-bit ARQ feedback per channel coherence 
interval from Bob reliably. 

Arguably, the most useful application of (keyless) secret message transmission is secret-key generation. For 
instance, a key can be sent from Alice to Bob as a secret message (which is selected by Alice in advance). 
More generally, as considered here, the key can be established after a communication session completes. This 
relaxation in the protocol can lead to a higher key rate. The secret-key generation problem in lfT6l and iTTTl 
assumes an interactive, authenticated public channel with unlimited capacity. In IfTTl , the "channel model with 
wiretapper" (CW) is similar to the wiretap channel model, while in the "source model with wiretapper" (SW), 
Alice and Bob exploit correlated source observations to generate the key. Both SW and CW models have been 
subsequently extended to multiple terminals |[T8l - ||20l and to non-authenticated public channels lf2T1 - l23"1 . 
Secret-key generation using both correlated sources and channels has been considered more recently in Il24l 
and Il25l . 

In this paper, we consider a key-generation problem in which Alice wants to share a key with Bob while 
keeping it secret from Eve. The Alice-Bob and Alice-Eve channels (forward channels) undergo slow fading, 
and CSI is known only at the receivers. Furthermore, we assume a public and error-free feedback channel. 
The key generation scheme under consideration consists of a communication and a key-generation phase. In 
the communication phase, via the forward channel, Alice sends to Bob coded sequences, which are observed 
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at Bob and Eve after independent distortions due to power attenuation and noise. Subsequently, Alice and 
Bob agree on the same secret-key in the key-generation phase. The problem setting resembles an SW model 
but differs in that the shared "correlated sources" are coded sequences (from a public codebook and distorted 
by the channel). We assume that the feedback channel from Bob to Alice is very limited. For each block 
transmission from Alice to Bob, Bob is required to send back one or more bits to Alice, where the one-bit 
feedback corresponds to an ARQ ACK/NACK scheme. An example application is where Alice sends a video 
clip to Bob, which is a non-secret transmission. Bob responds with a few bits and thus enables agreeing on a 
secret-key, which can then be used in key-based cryptographic protocols. 

The communication phase is based on layered broadcast coding, which effectively adapts the decoded rate 
at Bob to the actual channel state without requiring CSI to be available at Alice. The transmission takes place 
over several time slots. In each time slot, Alice transmits a continuum of layers. Depending on the realization 
of the channel state, Bob decodes a subset of layers reliably. The index of the highest reliably decoded layer at 
Bob is sent back to Alice, and used in the key-generation phase that follows Wyner's secrecy binning scheme 
All . For a given power distribution over coded layers, we derive the achievable secrecy key rate, which permits 
a simple interpretation as the average reward collected from all possible channel realizations. Furthermore, 
we characterize the optimal power distribution over coded layers to maximize the achievable secrecy key rate 
under the broadcast approach. 

Layered broadcast coding creates artificial noise so that the undecodable layers at Bob play the role of self- 
interference. We show that, by properly choosing the coding rate for each layer, it is ensured that Eve cannot 
benefit from the layered coding structure and is forced to treat the layers undecodable at Bob as interference. 
Secret communications with interference was studied in ||26l and |[27l in a more general (but non-fading) setting. 
Layered broadcast coding for a slow-fading single-input single-output (SISO) channel model was originally 
introduced by Shamai in |28l and discussed in greater details in [29). The results in this paper are consistent 
with |28l and |[29l when the additional secrecy key generation requirement phase is not considered. In a closely 
related work, a similar ARQ-based secret-key generation scheme employing single-level coding was studied in 
l30ll . This scheme can be viewed as a special case of the proposed layered-coding based scheme as all power 
is allocated to a single coded layer. We show that layered broadcast coding can increase the secrecy key rate 
significantly compared to single-level coding. 

The remainder of the paper is organized as follows. Section O describes the system model. Section [III] 
states the broadcast approach for key generation. Section [TV] gives the achievable secrecy rate for a given 
power distribution. Section |V] characterizes the optimal power distribution. A numerical example involving a 
Rayleigh fading channel is given in Section [VT] Conclusions are given in Section IVIII 
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Fig. 1. Alice and Bob want to agree on a key (K = K), while keeping the key secret from Eve (H(K\Y2, h.2, "*!?)/ n — > 0). 



II. System Model 

As depicted in Fig. [H we consider a three-terminal model, in which Alice and Bob want to share a secret 
key in the presence of Eve, who is a passive eavesdropper. That is, Eve is interested in stealing the key but 
does not attempt to interfere with the key generation processes. 

A. Channel Model 

The Alice-Bob and Alice-Eve channels (forward channels) undergo block fading, in which the channel gains 
are constant within a block while varying independently from block to block ifTTTl . We assume that each block 
is associated with a time slot of duration T and bandwidth B; that is, N = \ 2BT\ real symbols can be sent in 
each slot. We also assume that the number of channel uses within each slot (i.e., N) is large enough to allow 
for invoking random coding arguments. 

Let us assume that the transmissions in the forward channels take place over M time slots. In a time slot 
indexed by m G [1, . . . , M], Alice sends X m , which is a vector of N real symbols. Bob receives Y± m through 
the channel gain h\ m and Eve receives Y2 m through the channel gain hi m - A discrete time baseband-equivalent 
block-fading channel model can be expressed as 

(mX m + Zt m (1) 

for t = 1,2, where {Z tm } are sequences of independent and identically distributed (i.i.d.) circularly symmetric 
complex Gaussian M(0, 1) random variables. We denote by h\ m and fi2 m the states of the Alice-Bob and Alice- 
Eve channels, respectively, in time slot m. Without loss of generality, we drop the index m and denote random 
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channel realizations by h t . We assume that h t is a real random variable with a probability density function (PDF) 
ft and a cumulative distribution function (CDF) F t , for each t = 1, 2. We also let hi = [hx t i, . . . , /ii,m] and 
h2 = [h.2,1, ■ ■ ■ , ^2,m] denote the power gain vectors for the Alice-Bob and Alice-Eve channels, respectively. 
We assume that Bob and Eve know their own channel gains perfectly; Alice does not know the CSI before its 
transmission, except for the channel statistics. 

In addition, we assume a short term power constraint (excluding power variation across time slots) such that 
the average power of the signal X m per slot satisfies the constraint 



for all m = 1, ... , M. 

Finally, we assume that there exists an error-free feedback channel from Bob to Alice, through which Bob 
can feed back ty m for time slot m, where \I/ m is a deterministic function of Yi m and hi jm . The feedback 
channel is assumed to be public, and therefore \I> m is received by both Alice and Eve without any error. 

B. Secret Key Generation Protocol 

The secret key generation protocol consists of two phases: a communication phase and a key-generation 
phase. 

1 ) Communication Phase: We assume that the transmission during the communication phase takes place over 
M time slots. That is, Alice sends a sequence of signals X = (Xi, X2, . . . , Xm) to the channel. Accordingly, 
Bob receives from his channel a sequence of signals denoted by Yi = (Y11, Y12, . . . , ^i,m) and Eve receives 
Y2 = (Y2 1, Y2 2) • • • i Y2 Af) from her channel. We let n = MN denote the number of symbols sent by Alice 
in the communication phase. 

After the transmission, Bob uses the feedback channel to send \l/ = . . . , $m)> which is received by 
both Alice and Eve since the feedback channel is public and error-free. 

2) Key-Generation Phase: The communication phase is followed by a key-generation phase, in which both 
Alice and Bob generate the key based on the forward and backward signals. A general key-generation phase 
can be described as in the following. 

Let /C = {1, 2, . . . , 2 nRs }, where R s represents the secrecy key rate. Alice generates a secret key k E K, by 
using a decoding function K, i.e., 



i-£[||X m || 2 ]<P 



(2) 



k = K (X, *) . 



(3) 



Bob generates the secret key k G JC by using a decoding function K, i.e., 



k = K (YiM,*) = K(Y 1 ,h 1 ) 



(4) 



where the second equality holds since we assume that * is a deterministic function of Yi and hi. 
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The secrecy level at Eve is measured by the equivocation rate R e defined as the entropy rate of the key K 
conditioned upon the observations at Eve, i.e., 

R e ±-H(K\Y 2 M,*)- (5) 

n 

Definition 1. A secrecy key rate R s is achievable if the conditions 

Pr (K = k\ > 1 - e, (6) 
and R e > R s - e, (7) 
are satisfied for any e > as the number of channel uses n — >■ oo. 

III. A Layered Broadcast Approach To Key Generation 

In this section, we introduce a broadcast approach for secret-key generation, in which Gaussian layered 
broadcast coding is used for the communication phase, and random secrecy binning is used for the key 
generation phase. 

Before presenting the scheme, we briefly introduce Gaussian layered broadcast coding. Finite-level layered 
broadcast coding (superposition coding) was introduced by Cover in PT1 for general broadcast channels. In 
ll28l . Shamai studied a Gaussian fading channel with no CSI at the transmitter and considered the limiting case 
when there is a continuum of coded layers. In this section, we first take a look at a fading wiretap channel 
with a finite number of fading states, for which finite level layered broadcast coding is applicable. The channel 
will be used to derive the result for the limiting case of continuous fading, which is the focus of this paper. 

A. Finite-Level Layered Broadcast Coding for L-State Fading Channel 

Let us first consider a type of channel called "the L-state fading wiretap channel," in which there are L 
different fading states possibly observed on the Alice-Bob or Alice-Eve channel. 

Definition 2. In an L-state fading wiretap channel, at any time slot, the realization of the power gain of the 
Alice-Bob or Alice-Eve channel takes one value from {h^\ h} 2 \ . . . , h^} independently and randomly, and 
is characterized by probability function Pr{/ii = h\ ll \li2 = /J' 2 '}. Without loss of generality, we assume that 
{h^} are ordered in ascending order. 

Here, let us focus on the Alice-Bob channel. As shown in Fig. |2j in a layered broadcast coding scheme, 
the point-to-point fading channel is viewed as a broadcast channel with L virtual receivers each corresponding 
to a fading state. By applying the superposition coding in lUll . the encoding and decoding procedures can be 
described as follows. 
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Fig. 2. A point-to-point fading channel with L possible fading states is viewed as a broadcast channel with L virtual receivers each 
corresponding to a fading state. 



During the encoding, we assume that L layers are used. That is, the transmitted codeword is a superposition 
of L codewords, i.e., Yli=i where is a codeword from a Gaussian codebook w ith a ra t e r W anc 
a constant power pW, I = 1, . . . , L. For a given power allocation {pM }, the rate of the l-th layer is given by [* 



r ™=lo g (l + ^ V (8) 

and the total power satisfies ^f=i P H = -P- 

During the decoding, for a given fading realization h$, the receiver can successfully decode the first / 
layers by using the successive decoding strategy ||3TI . i.e., the codewords {XW,...,X"1} can be decoded 
reliably, while the codewords {X[ z+1 ], . . . , X^} are undecodable. More specifically, in the decoding process, 
the receiver first decodes XM by treating the remaining codewords ({XW,i > 1}) as interference. After 
decoding X^, the receiver will subtract X^ and then decode X^ by treating the remaining codewords 
({xW,i > 2}) as interference. This process repeats until the l-th layer X^ is decoded reliably by treating the 
remaining codewords ({XW,i > I}) as interference. As shown in d8j, Yli=i+iP^ ^ s tne tota l P ower of coded 
layers treated as inference during the decoding of the l-th layer. Note that this predetermined ordering can be 
achieved because of the degraded nature of Gaussian single-input single-output (SISO) channels. 

B. Layered Broadcast Coding for Gaussian Fading Channels 

In general, L depends on the cardinality of the random channel variable. For a Gaussian fading channel, 
a continuum of code layers (L — > oo) is required for achieving the best performance. When a continuum of 
layers is used, the transmitter sends an infinite number of layers of coded information. Each layer conveys a 
fractional rate, denoted by dR, whose value depends on the index of the layer. We refer to s, the realization 



'All logarithms are to the natural base, and thus rates are in terms of nats per second per Hertz. 



s 



of the fading power, as a continuous index. For a given transmit power distribution p(s) over coded layer s, 
p(s)ds is the transmit power used by layer s. Any layer indexed by u satisfying u > s is undecodable and 
functions as additional interference. The total power of undecodable layers (for a realization of fading power 
s) is denoted by I(s) and is expressed by 

= f°° P (u)du. (9) 



The incremental differential rate of layer s is given by 

*^(^)^^ 

where the second equality in (fTUT i is due to the fact that lim^o log(l + x) = x for any x > 0. The total power 
over all layers is constrained by 

POD 

1(0) = / P {u)du = P. (11) 
J o 

Given a realization of the fading power (or layer index) s, the decodable rate at the receiver is 

J l + ul{u) 

Hence, for a given CDF of the random fading power s denoted by F(s), the average decodable rate at the 
receiver is 

f°° T up(u)du 

R= / : Hy ' , dF(s). (13) 
J J 1 + ul{u) 

C. Secret-Key Generation Based on Layered Broadcast Coding 

In this section, we discuss key generation based on Gaussian layered broadcast coding. We outline the 
scheme for the continuous case when L — > oo, which is the focus of this paper. For an L-state fading wiretap 
channel when L is finite, the corresponding scheme is discussed in Appendix |A] 

1 ) Codebook Construction: We need two types of codebooks used for the communication and key-generation 
phases, respectively. 

The codebook used for the communication phase consists of a continuum of coded layers represented by 
{C^(2 NdR ^ s \ N)}, where N is the codeword length and dR(s) is the (incremental differential) rate at layer 
s. The (sub-)codebook for each layer is generated randomly and independently. That is, for any codebook 
C^(2 NdR ( s \N), we generate 2 NdR ^ codewords xW(tu), where w = 1,2, . . . ,2 NdR ( s \ by choosing the 
N2 NdR ^ Gaussian symbols (with power p(s)ds) independently at random. 

The codebook used for the key generation phase is based on Wyner's secrecy coding 0], frTZl . As shown 
in Fig. [3 we use 



o Jo 1 + sI (s) 
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to represent the average decodable rate at Bob. We first generate all binary sequences of length n(R — e), 
denoted by B, where n = MN. The sequences B are then randomly and uniformly grouped into K = 2 nRs 
bins each with n(R — R s — e) sequences, where R s is the achievable secrecy rate given later. We denote by 
v(k,j) the j-th codeword in the k-th bin, where 1 < k < K and 1 < j < J = 2 n( - R ~ Rs ~ e \ Each secret key 
k 6 {1, ... , K} is then randomly assigned to a bin, denoted by B{k) = {v(/c, j), j = 1, . . . , J}. 

2) Communication Phase: The communication takes places over M time slots. In time slot m € [1, . . . , M], 
Alice first randomly selects a message Wm G {1, ■ ■ ■ , 2 NdR ^} for coded layer s, independent of the message 
chosen for other layers. For convenience, we use W m to represent the total message sent in time slot m 
(through all layers), i.e., W m = x s W m . Then, Alice sends a superposition of all layers to the channel. 

Bob receives Y\ m and tries to decode all his decodable layers, which depends on his channel state h\ m . 
For convenience, we use Wm 1 ^ to denote the set of layers reliably decoded by Bob, and Wm 1 ^ to denote the 
set of layers undecodable to Bob in time slot mj^l After decoding, Bob sends back the index of the highest 
decodable layer to Alice via the feedback channel, so that both Alice and Bob get to know W m . This completes 
the transmission in time slot m. The communication phase ends when all M (independent) transmissions are 
completed. 

Note that the feedback of a layer index does not need to be completed right after each transmission in the 
forward channel. It is required only before the following key generation phase. Also note that the feedback of 
the index of a decodable layer is a special type of channel feedback. In particular, when considering the case 
when the number of fading states L — > oo, the index of the highest decodable layer in time slot m is equal to 
the fading power gain h\ m (i.e., the public feedback = h\ m ). For a finite level layered coding approach, 
the feedback of the layer index is an L-bit quantized version of the realization of the fading power gain. When 
L = 1, it is the ARQ feedback of ACK or NACK. 

3) Key-Generation Phase: Once the communication phase (including feedback) is completed, both Alice 
and Bob can generate the secret key. Based on the feedback sequence * = hi, Alice generates a binary 
sequence v from all the messages reliably decoded by Bob based on any deterministic one-to-one mapping g 
as 

v = g(wW), (15) 

where = ( w[ Vl] , wf A , . . . , wf l] ) represents the set of messages successfully decoded by Bob across 

all layers and time slots. 

2 To be more accurate, T>\ in Wm 1 ^ should be indexed by m, however, we choose to use T>i to simplify our notation. Throughout 
the paper, Wm 1 ^ is shorthand for Wm lm ^- If the subscript of W is a set, then T>\ is also indexed by the set. For example, for a set of 
time slots AA + C {1, . . . , M }, we use W l j^l ] instead of W^l M+ to represent all the messages decoded by Bob in M + . The rule 
is also applied to T>2, U\ and Ui. In addition, it is applied to codeword X and codebook C besides message W. 
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Fig. 3. Alice and Bob generate a sequence v from all the messages reliably decoded (across L layers and M time slots), look up in 
the key-generation codebook for a k such that v € B(k), and output k as the key. 



Alice then looks up in the key-generation codebook for a k such that v G B(k), and outputs k as the secret 
key generated. Note that all those messages are decoded by Bob, and Bob can generate the same sequence v 
and the same key k as Alice does. This completes the key generation. 

IV. Secrecy Key Rate 

In this section, we present the secrecy key rate achieved by the broadcast approach and compare it to that 
achieved by using a single-level coding approach. For both approaches, we assume that the number of time 
slots used in the transmission over the forward channel is sufficiently large (i.e., M — > oo), so that we can 
obtain an ergodic key rate. 

A. Layered-Broadcast-Coding Based Key Generation 

The following result characterizes the secrecy rate when a power distribution p(s) is given. 

Theorem 1. For a given power distribution p(s) over coded layers indexed by s, the secrecy key rate achieved 
by the layered-broadcast-coding based key generation scheme is 

poo rhi 

R s = / A(h 1 ,h 2 )dF 2 (h 2 )dF 1 (h 1 ), (16) 
Jo Jo 

where A(hi,h 2 ) is given by 

hi r s P (s) h 2P { s ) 



A(/ti,/t 2 ) 
and 



1 1 2 



1 + sJ(s) 1 + h 2 I(s) 



ds (17) 



p{u)du with 1(0) = P. (18) 
Proof: The proof can be found in Appendix |A] ■ 
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Now we discuss some insights from Theorem Q] First, R s can be written as 



Rs — ^hi,h 

where 



A(h u h 2 ) 



A(h 1 ,h 2 )\, (19) 

A(h 1 ,h 2 ) if hx > h 2 
otherwise. 



The key rate R s is the average of rewards (designated by A(h\,h 2 )) collected from all possible channel 
realizations. Positive rewards are obtained from the time slots in which Bob's channel is better than Eve's 
channel (h\ > h 2 ). On the other hand, when h\ < h 2 , the reward is zero. 

We can see that except for the rare case in which hi is always smaller than h 2 , R s is positive. 

Now we focus on a particular time slot m in which h\> h 2 , and use X m to denote all layers sent in the 
slot. [^| As depicted in Fig. HI X m can be divided as 

x m = xffi u ( xf?J n x^O u x^i , (21) 



where X^ 1 ' and denote the sets of decodable and undecodable layers at Bob, respectively, and X^ 2 ' 

and X„' denote the sets of decodable and undecodable layers at Eve, respectively. Note that Xm D X^ 2 ' 
since h\ > h 2 . 

Both Alice and Bob can decode X^ 2 ', and neither of them can decode X^ 1 '. Therefore, a nonzero reward 
A(/ii, h 2 ) comes from the set of layers X^ 1 ' n X^ 2 '. To show this, we rewrite <HT7\ as 

A, h, i+w<>) 

The first term on the right hand side of (l22l is the sum-rate decoded by Bob from Xm ^ n X„ 2 ' (by decoding 
and canceling X^ 2 ' first, and treating the interference term X^ 1 ' as noise). Furthermore, the second term can 
be written as 

<*> h 2P ( s )ds lQg / | hal/M-W ] (23) 



h2 l + h 2 I(s) & V l + h 2 I(h 1 ) 

By noticing that /(/12) — i s ^e total power used for the layers X„'' flXm', and I{h\) is the total power 
used for the layers X^ l] , © gives the rate of information that Eve can possibly deduce from X™ 1 ' n X™' 
through her channel with power gain h 2 . 

An interesting finding here is that what the best Eve can do is to treat the interference term X„' as noise 
(as Bob does) with the total noise power 1 + h 2 I{h\), and therefore cannot benefit from the structure of 
interference either. Due to the absence of CSI at the transmitter during the transmission in the forward channel 

3 X m represents the set of L layers in time slot m, and also the signal transmitted by Alice in time slot m, which is the superposition 
of all layers. 




Fig. 4. (a) Coded layers sent by Alice, (b) decodable and undecodable layers for Bob, and (c) decodable and undecodable layers for 
Eve, in time slot m with the channel gains hj > h 2 . 



, the layered broadcast coding strategy creates a medium with interference, in which the undecodable layers 
play the role of self-interference. We remark that this is a special case of secret communication over a medium 
with interference as discussed in E71 . 



B. Single-Level-Coding Based Key Generation 

When single-level coding is used, self-interference does not occur. Alice uses a codebook with a single coding 
rate in the forward transmission. Bob uses ARQ feedback to tell Alice whether the decoding is successful or 
has failed. In this case, the following secrecy key rate can be achieved. 

Lemma 1. If30l Theorem 1] The secrecy key rate of a single-level-coding based scheme is given by 

4 1] = Pr \R [l] < log(l + fciP)l E h2 [r [1] - log (1 + h 2 P)] + , (24) 
where i?W is the coding rate of the single-level codebook. 

This key rate still has the interpretation of the average of rewards (designated by Ai(h\, hi)) collected 
from all possible channel realizations. That is, can be written as 



4 1 ! =E huh2 lA^huhz) 



(25) 



13 



where 

/ ^ " ^ + ^ if ftl ^ """^ > ^ 
Ai(fti,ft 2 ) = < (26) 

otherwise. 

C. Comparisons and Discussions 

The advantage of the layered-broadcast-coding (LBC) based approach over the single-level-coding based 
approach (SLC) can be readily observed by comparing the reward functions given by (l2Qb and (l26l ). First, in 
LBC, a positive reward is obtained from the set of channel pairs V = {(hi, h 2 ) : hi > h 2 }; while in SLC, it 
is obtained from the channel set V = {(hi, h 2 ) : hi > -p(e RW — 1) > h 2 }. It is obvious that V D V', which 
means there are more time slots that contribute to the secrecy key generation for LBC than for SLC. Second, 
the coding rate for SLC has to be carefully chosen in order to balance between obtaining a larger value 
of reward in a time slot (by increasing i?M) and making more time slots contribute to the key generation (by 
decreasing i?M); while in LBC, the reward is gained in each time slot adaptively based on the random channel 
realizations. Finally and importantly, in SLC, Eve can deduce the information at the rate of log(l + h 2 P) 
with a channel gain h 2 . This is the loss of rate in order to keep the key secret from Eve. In LBC, however, 
Eve deduces less information as given by (|23l ) due to the interference power (the total power of undecodable 
layers). The self-interference plays an important role for decreasing Eve's capability of eavesdropping. 

Hence, although the single-level-coding based approach has lower decoding complexity, and requires less 
feedback (only 1-bit per time slot), it is sub-optimal in general (when feedback of multiple bits is allowed). By 
all means, the single-level coding scheme can be considered as a special case of a layered-broadcast-coding 
based scheme, in which all power is allocated to a single layer. It serves as a baseline scheme and further 
motivates us to find the best power distribution for optimizing the layered-broadcast-coding scheme. 

V. Optimal Power Distribution 

In this section, we derive the optimal distribution of power over coded layers for our broadcast approach. 
The secrecy rate given by ([Tol l is hard to evaluate and optimize due to the three-dimensional integrals. After 
some steps of derivations, we have an alternative form given as follows: 

Lemma 2. The secrecy key rate given by (TToT i is equivalent to 

rx F 2 (y)dy 



poo 

R s = max / [1 — Fi(x)] p(x) 
I&) Jo 

with the constraint 1(0) = P, and p(x) = —dl(x)/dx. 
Proof: The proof can be found in Appendix |E] 



Uo 



[l + yl(x)f 



dx, (27) 
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A. Optimal Interference Distribution 

In certain cases, optimization of R s with respect to the power distribution p(x), or equivalently, the inter- 
ference distribution I(x), under the power constraint P can be found by using the calculus of variations. First, 
we define the functional of (1271 ) as 

L(x,I(x),l\x)) = -[l- Fl (x)]l'(x) jjT [if^p • 

A necessary condition for a maximum of the integral of L(x,I(x),I'(x)) over a; is a zero variation of the 
functional. By solving the associated Eiiler-Lagrangian equation [32j given as 



dL d (dL\ 

ln-TAar) =9 < (28) 

we have the following characterization for the optimal I(x). 

Theorem 2. A necessary condition for optimizing I{x) in order to maximize the secrecy rate given by (ITTl 
is to choose I(x) to satisfy 

F 2 (y)dy _ [l-F 1 (x)]F 2 (x) (29) 



/o [i + yi(x)} 2 hWli + xiix)] 2 ' 

where I(x) = when x < xo or x > x\. Here, xq and x\ can be found by setting I(xq) = P and I(x\) = 
in 

Proof: The proof can be found in Appendix |F] ■ 

In general, numerical computation is needed for solving (129T ) in order to obtain the optimal interference 
distribution I(x). For some special CDFs F 2 (x), an analytical form of I{x) is possible if the integral in (1291 ) 
can be evaluated in a closed form. 

In the following, we consider two of such special cases: 

1 ) Non-Fading Alice-Eve Channel: If the Alice-Eve channel is constant with channel power gain x* , the 

CDF F 2 (x) is F 2 {x) = fi(x — x*), where p{x) represents a unit step function. In this case, the optimal 

interference distribution is given by 

T( v l-F 1 (x)-(x-x*)f 1 (x) 
{ ' x(x-x*)f 1 (x)-x*[l-F 1 (x)Y K ' 

which can be easily shown from (|29l ). 

2 ) Non-Secret Layered Transmission: If key-generation is not considered and it is desired to find the optimal 
I(x) to maximize the average reliably decodable rate at Bob in the non-secret layered transmission, this can 
be done by assuming x* = in (l30l ). In this case, we have 

, w = iz£W_I, (31) 

x ji[x) X 



which is consistent with the result given in II291 . 
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B. Secrecy Key Rate With Optimal Power Distribution 

Finally, we have the following secrecy key rate under the optimal power distribution. 

Corollary 1. When the optimal power distribution is used, the following secrecy key rate is achieved: 



l-F l {x)] 2 F 2 {x)dI{x) 



Rs L h{x)[l + xI( X )f ' (32) 
where I(x) and {xq,x\) are found from the condition given by Theorem |2] 

Proof: The proof is straightforward by combining Lemma |2]and Theorem [2] ■ 

VI. A Rayleigh Fading Channel 

In this section, we assume Rayleigh fading for both Alive-Bob and Alice-Eve channels. The fading gains 
ht are exponentially distributed with means A t for t = 1, 2. That is, the PDFs of the fading gain ht are 

f fexpf-f) ifs>0, 
ft(s) = { Xt V XtJ (33) 
otherwise, 

for t = 1, 2 and the CDFs are 



1 - exp -■ f if s > 0, 
F t (s)={ V V " (34) 

otherwise. 

A. Single-Level-Coding Approach 

For comparison, we first calculate the secrecy key rate when single-level coding is used. As shown in 
Appendix |Gl the secrecy rate is 



( e RW 1 \ f I 

= max exp --^A R [1] — exp 



X2P / V A 2 P 



(35) 



where Ei{x) = f^°[ex.p(— t)/t]dt is the exponential integral function. It can be verified that the above function 
is concave with respect to R^ and thus has a unique maximum, which can be searched numerically. 

B. Layered-Coding Approach 

According to (l32l ). the secrecy rate with layered coding under the optimal power control is computed 
numerically by evaluating 

f Xl exp(-a/Ai) [exp(-x/A 2 ) - 1] 

Rs=Xi L wTxiw dI ^ 

where the optimal interference distribution I{x) and boundary points xq and x\ can be found according to 
Lemma [2] as follows. 

Interference Distribution I{x) 
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As shown in Appendix El we have 

F2{y)dy exp(-x/A 2 ) 



1 , exp(l/A 2 /(x)) 



A 2 / 2 (x) 



Ei 



1 



A 2 /(x) 



/o [l + y/(x)] 2 /(x)[l + x/(x)] 
We also have 

[l-Fi(x)]F 2 (x) Ai [1 - exp(-x/A 2 ) 



Ei 



1 + xl(x) 
A 2 /(x) 



[l + x/(s)]' 



[1 + x/(x)]' 



Therefore, we can show after some steps of arrangements that I(x) is found by solving 



Ei 



1 



A 2 I(x) 



1 + x/(x) 



(36) 



(37) 



(38) 



A 2 /(x)[l + Ai/(x)] 



exp 



1 



A 2 /(x) 



exp 



1 + xl(x) 
A 2 I(x) 



[l + x/(x)] 2 
Boundary Points x$ and x\ 

We needs to find the boundary points xq and x\ to meet the constraints that 

I(x ) = P and J(xi) = 0. 

By letting /(xq) = P in (I38T ). we can solve the equation for xq. However, x\ cannot be solved by this means 
since we cannot let I{x\) = in (I38T ). Instead, we let I(x\) = in (|29l ) and find that 



and 



/ F 2 (y)dy = x\ + A 2 [exp(-xi/A 2 ) - 1] , 
J o 

[l-ifi(xi)]F 2 (ari) 



/i(xi) 

Therefore, x\ can be found by solving the following equation 



Ai [1 - exp(-xi/A 2 )] 



x\ + (Ai + As 



exp 



■I 1 



0. 



Interestingly, x\ depends only on the channel statistics (characterized by Ai and A 2 for the Rayleigh fading 
channels) and not on the power constraint P. Note that no power will be allocated to a layer with its index 
higher than x\ (however, it is possible that some layers lower than x\ still have zero power allocation, as 
shown in the numerical example). Finally, we remark that every equation discussed in this section has a unique 
solution after excluding a trivial solution 0. 



C. Numerical Examples 

Now we show some numerical examples on the achievable secrecy-key rates and the optimal power distri- 
bution p{s). We consider the symmetric Rayleigh fading channel defined by (l33l ) with Ai = A 2 = 1. 

Fig. [5] compares the secrecy key rates achieved by the layered-coding and single-level-coding based schemes 
(both optimized). We also compare them with the secrecy rate when perfect and noncausal CSI of the Alice- 
Bob channel is available to Alice. In this case, Alice is able to adapt its transmission rate based on the CSI at 
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-5 5 10 15 20 25 30 35 40 

Average Power (in dB) 

Fig. 5. Secrecy key rates achievable for the layered-coding-based approach, the single-level-coding-based approach, and when perfect 
CSIT is available at Alice noncausually. 

each time slot. We still assume a short-term power constraint and thus Alice does not adapt power in contrast 
to the scheme given by |[T2l . Without CSI at Alice, the secrecy key rate achieved by the layered-coding based 
scheme is significantly higher. This shows the benefit of the broadcast approach due to the introduction of 
self-interference in transmission. 

Fig. [6] shows the optimal power distribution over coded layers. A trend is that more power is distributed to 
lower layers as the total transmit power P becomes larger. In general, the optimal power distribution does not 
concentrate much on a certain layer (or a small set of layers), especially when P is large. We also compare the 
optimal power distribution for maximizing the secrecy key rate in key-generation and that for maximizing the 
average reliably decodable rate at Bob in non-secret transmission. With different power constraints, the power 
distributions for non-secret transmission are on the same curve but have different boundary points, which is 
different from the case for key generation. Also, when the total transmit power exceeds a certain threshold, 
the power distribution for key generation is more concentrated over higher layers (as shown for the cases of 
P = 5 and P = 20); while the opposite can be observed when P is small (as shown for the case of P = 1 in 
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0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 

layer index 

Fig. 6. Optimal power distributions for maximizing the secrecy key rate in key-generation ("key-gen") and for maximizing the average 
reliably decodable rate at Bob in non-secret transmission ("non- secret") when the normalized transmit power is P = 1, 5, 20. 

Fig. E) 

VII. Conclusions 

In this paper, we have introduced a broadcast approach for secret-key generation over slow-fading channels 
based on layered broadcast coding. We have considered a model in which Alice attempts to share a key with Bob 
while keeping the key secret from Eve. Both Alice-Bob and Alice-Eve channels are assumed to undergo slow 
fading, and perfect CSI is assumed to be known only at the receivers during the transmission. Layered coding 
facilitates adapting the reliably decoded rate at Bob to the actual channel state without CSI available at Alice. 
The index of a reliably decoded layer is sent back to Alice via an authenticated, public and error-free channel, 
which is exploited by Alice and Bob to generate the secret key. We have derived the achievable secrecy key rate 
and characterized the optimal power distribution over coded layers. Our theoretical and numerical results have 
shown that the broadcast approach outperforms the single-level-coding based approach significantly, which 
establishes the important role of introducing self-interference in facilitating secret-key generation over slow- 
fading channels when transmit CSI is not available. 
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Appendix A 
Proof of Theorem Q] 

Let us first consider the L-state fading wiretap channel defined by Definition [2] We have the following result. 

Lemma A.l. For the L-state fading wiretap channel defined by Definition [U the following key-rate is 
achievable: 

r s = e E Pr = hM >h = h[h] ) E 

ti k<h l=k+l 

where we assume that {/J 1 ! < < ■ ■ ■ < h^} and is given by 



- log 1 H - T 



(39) 



rW=logfl + V (40) 

Proof: We relegate the proof of Lemma A. 1 to Appendix |B] ■ 
It is easy to observe that the result given by Theorem [T]is a continuous version of Lemma A.l (as L — > oo), 
and can be shown by following some standard steps in a straightforward manner. We omit these steps and next 
prove Lemma A.l only. 

Appendix B 
Proof of Lemma A. 1 

A. Secret-Key Generation For The L-State Fading Wiretap Channel 

The key-generation scheme for the L-state fading wiretap channel is similar to the scheme outlined in Section 
IIII-CI The encoding and decoding in the communication phase have been discussed in Section llll-BI To proceed 
with the key generation phase, we will use the following notation (some of which has been explained previously 
but is repeated here for ease of reference). 

Let W m = Wm' L ^ represent the set of messages sent by Alice at the m-th time slot and represents the 



message sent at the l-th layer. At Bob, the reliably decoded message set at the m-th time slot is denoted by 
wj? 1 ^ and the undecodable message set is denoted by Wm 1 ^. At Eve, similarly, the reliably decoded message 
set is denoted by Wm 2 ^ and the undecodable message set is Wm 2 \ We use W = (Wi, W2, ■ ■ ■ , Wm) to 
represent the set of messages sent over all M time slots. Similarly, = (w[ , w\ , • • • , W 7 !^'') an d 

WW = (Wf t] , Wj" t] , . . . , Wfj t] ) are defined for t = 1, 2. 

We use X m = to represent the set of codewords sent in the m-th time slot, xj^ 1 ' and xJ™ 

(for t = 1,2) to represent the sets of reliably decoded, and undecodable layers, respectively. Furthermore, 
X = ( Xl ,X 2 , . . ,X V ), XP>d = (xf*UP t] ,- • • ,X^ ] ) and X^ = (Xf'Uf 1 ,- • • ,X^ ] ) are the set, 
reliably decoded set, and undecodable set of codewords, respectively, over all M time slots. In addition, 
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Yi = (Y Xi i, Yi )2 , • • • , Yi,Af) and Y 2 = (Y 2 ,i, Y 2j2 , • • • , Y 2 ,m) are the signals observed by Bob and Eve, 
respectively, over all M time slots. 

In the key generation phase, two parameters of the key generation codebook are R and R s . For the L-state 
fading wiretap channel, R s is given by (|39l ) and R is given by 



where is given by (f40l> . 



R = J2^(hi = h®) (x^Y ( 41 ) 

1=1 \i=l / 



B. Genie-Leaked Information 

In the communication phase, we assume that the message conveyed by each layer is chosen independently 
of those at all other layers and uniformly at random. That is, at time slot m, the message sent by the 
l-th layer, is randomly and uniformly selected from {1,2,..., 2 NrU] }. One can always assume that the random 
message is generated through a two-step procedure: first, two messages W m and Wm are selected randomly 
and independently, where W m ] G {1, . . . , 2?*% } and W m ] € {1, . . . , 2 ml ^}, where r$ = rW - f & Then, 
message Wm = Wm X Wm is formed. 

Note that this procedure is assumed only for facilitating the proof and is not actually required for encoding. 
In fact, fm can be any value as long as < fS < r^. For example, we can assume the following value for 

?[{] _ f if 1 < I < l lm (i.e., I € V lm ), 

\ min {r W , log (l + 1+fta pM ) } otherwise, 

where Zi m is the feedback layer index (i.e., the highest index of the decodable layers at Bob) in time slot 
m. Again, the feedback and channel information are not needed during the transmission since the two-step 
procedure is not actually executed. 

Following the partitioning of messages, we have Wm 1 ^ = Wm 1 ^, Wm^ = 0, and Wm 1 ^ = wf'' x tf. 
Hence, W m is decomposed as W m = wjn l] x W^ l] x W^ l] . By letting = (W^ l] , W^ l] , . . . , wfj l] ) 

and = (w[ Ul] , W^ l] , . . . , W"|/ l] ), we have W = x x W^l correspondingly. 

We assume that there is a genie who gives the message set W^ 1 ! to Eve. This is a useful step to enable us 
to give a bound on the equivocation rate with respect to the key K at Eve. 

One might wonder if this genie-leaked information benefits Eve and eventually reduces the achievable key 
rate. In Fig. |7J we illustrate that the genie-leaked information does not benefit Eve. Here, let us consider a 
special L-state fading wiretap channel for which L = 3 and the support of both Alice-Bob and Alice-Eve 
channel gains is {hfi,hP\hft}. It is easy to see that wj^ l] ^ if and only if h\ m = /i [2] and h 2m = for 
a time slot m. Therefore, we can focus on such a time slot. We have V\ m = {1, 2}, U\ m = {3}, P 2m = {1}, 
and U 2m = {2, 3}. 



log 



1+ 



hmP 




\og(l + h 2m p^) f 



[3] 



Fig. 7. An illustrative example to show that the genie-leaked information does not benefit Eve. 



xjl' is decoded and subtracted by both Alice and Bob from their received signals. Therefore, we consider 

[21 [31 [21 [21 

only Xm and X™ , where X™ contributes to the key generation and Eve tries to deduce information on X|„! , 
while X| n plays the role of interference. Fig. [7] shows the rate of information that Eve can deduce on X„ t 
versus the rate of interference codebook. (The rate region resembles that of a multiple access channel. Some 
related discussion can be found in ll27l .) 

Eve uses the genie-leaked information to reduce the rate of interference codebook. To achieve this, Eve uses 
Wjh ] to obtain a thinned codebook C^(W$). That is, among all the codewords in the original codebook 
i.e. only the ones corresponding to Wm are kept and the rest are eliminated. However, if the side information 
is given properly, Eve does not benefit from the genie. As shown in Fig. |7J the side information does not help 
Eve's eavesdropping if 

rf < - log (l + h 2mP W) . 

Under this condition, the pair of coding rates of and C^(Wm ) is represented by any point on the line 
segment from A to B. A reward of 

is collected from time slot m in contributing to the key generation. 
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C. Equivocation Calculation 

Now, we are ready to compute the equivocation rate with respect to the key K at Eve: 

H(K\Y 2 ,*M) 

>H(K\Y 2 ^MM,V* [Ul] ) (43) 

= if(K|Y 2 ,W^,hi,h 2 ) (44) 

= H(K, Y 2 , X|W [Wl] , hi, h 2 ) - iT(Y 2 |W [Wl] ,hi, h 2 ) - £T(X|Y 2 , K, W^, hi, h 2 ) 

> iT(X|Y 2 ,W[ Ml Ui,h 2 )-i?(X|Y 2 ,iT,W^,hi,h 2 ), (45) 

where (|43l is from the property that conditioning reduces entropy, (1441 is due to the fact that * is a deterministic 
function of hi and Y 2 . 

As shown in Appendix [C] and |Dj the two terms in d45l ) can be bounded as in the following, 

i7(X|Y 2 ,W [Wl] ,hi,h 2 ) > n(R s -5 NM ), (46) 

and 

#(X|Y 2 ,#,W[ Wl ],hi,h 2 ) < n5' N>M , (47) 

where <5jv,Af , S' N M — > when N, M — > oo. 
By combining (1431) . (l46l ) and (1471 . we have 

n« e = #(if|Y 2 ,*,h 2 ) >n(i? s -5), (48) 

which gives the perfect secrecy requirement that is 

R e > R s — 5, 

where 5 — > as n — > oo (actually N,M — > oo). Hence, we complete the proof. 

Appendix C 
Proof of d46l) 

First, let us denote 

E x ^iJ(X|Y 2 ,Wt Wl ],hi,h 2 ). 
Due to independent coding at each time slot during forward transmission, we have 
Ex = H(X, Y 2 , W^l , hi, h 2 ) - H(Y 2 ,W^ , h u h 2 ) 

M M 

l2m 



Wj^ l] ,h lm ,h 2rn ) - H(Y 2m ,W^ l] ,h lm ,h 2 

m=l m=l 

M 

i^(x m |Y 2m , W^,h lm ,h 2m 

m=l 
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Furthermore, we have 

El > E H(X. m \Y 2rn , W^\h lm Mm) (49) 
= H(X m \W^\h lm ,h 2m ) + H(Y 2m \X m ,W^ 

= H(X m \W^) + H(Y 2m \X m ,h 2m )-H(Y 2m \Wt\h lm ,h 2m ) (50) 

rn£M+ 

> H(X m \W^) + H(Y 2m \X m ,h 2m )-H(Y 2m \h 2m ) (51) 

|/i 2m ) (52) 



meM+ 

> E ^( x - 

where M + = {m\m 6 {1, . . . , M}, h\ m > h 2m } is the set of time slots in which Alice-Bob channel is better 
than Alice-Eve channel), d49l follows from the property that entropy is non-negative, (l50l follows from the 
property that Wm ^ m Y 2m forms a Markov chain, and (1511 follows from the property that conditioning 
reduces entropy. 

To bound (l52l further, we have 



E rM + E M 1 +7-.4-1, ^ 



h 2m p [l] 



N 



i=\ i = i lm+ \ 



E r [l] + log 1 + h 2m E 



V] 



(53) 



(54) 



.1=1 \ i=i lm +i 

where Z lm denotes the index of the highest decodable layer at Bob in time slot m, and d53l follows from (02). 

We also have 

|^2m) 

= ^ f-^m 2 ' J Xm 2 ' i ^2™. | h 2m 

= I (X^l; Y 2m |/ l2m ) +/ (XM; Y 2m |X^U 2m 
< (X^l ) + / (X^l ; Y 2m |X^1 , h 2m ) 

<N E r W + log f 1 + h 2m E P W ) + *i > ( 55 ) 

j=i V «=z 3m +i / 

where /2m denotes the index of the highest decodable layer at Eve in time slot m, and 5\ — >■ as iV — > 00. 
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Combining ([521), d54j), and ([53]), we have 

h 

El > N \ y: 



e ^-■ogii + 1 ';7 E | 3 r + ' pl " w ) 

^ r W _ log + 

,Z=«2+1 V 

h 

rW - log f 1 + 



Nj2J2#{ hi = h[ll] ' h2 = hih 

h l 2 <h 



Si 



h [h]p[l] 



= NY J Y.*( h ^ = h[ll] ^ = hM )\ E 

where # (/i! = h)- ll \h 2 = h^) denotes the number of time slots (out of M slots) that hi = hl ll i and h 2 = hM. 
When M — > oo, we have 



= n(i? s - 5 2 ), 
where 5 2 — > when iV — > oo and M — >■ oo. 



«=i a +i 



-W - log 1 



+ 



h [h)p[l) 



i + ^ 2] Ef=z + iP [i 



(56) 



First, we denote 



Appendix D 
Proof of (1471) 

£ 2 ^(XlYs^W^.h^ha). 



To give a bound on E 2 , we consider Eve's decoding of X, i.e., the codewords sent over all L layers and 
M time slots, by assuming that Eve observes Y 2 and h.2, and is given (by a genie) the side information K, 
and hi. Note that X = XP 1 ^ U X^, where Xl Wl l plays the role of interference and is not used in 
the key generation. To bound E 2 , however, we need Eve to decode the interference given the genie-aided side 
information. 

Given hi and h.2, Eve is able to partition X as 



X = X^vj+ U X 



(57) 



where M + = {m\m = 1, . . . , M, and h lm > h 2m }, M~ = {1, . . . , M}/M + , X. M+ = {X m |m G M + }, 
and Xjk- = {X m |m € M~}. We consider the decoding of X^+ and ~K_m- separately as in the following 
subsections. 
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A. Decoding o/X^- 

We note that X^- can be partitioned as 

X^^X^UX^!. (58) 

Based on and side information Wm 1 ^, Eve performs the decoding of X^- for each time slot m A4 + 

independently. The decoding is performed in two steps: 

YD 1 YD 1 

1) Decoding ofKy^l: For each m G M.~, Eve decodes ~K m 2 (decodable layers for Eve) directly based 

on Y2 m without using side information. 

2) Decoding o/X^l: After subtracting X„ 2 ' decoded previously, Eve attempts the decoding of X^ 2 ' 
using the side information Wm • More specifically, considering the decoding of xJl for layer I G U 2m , we 
use Wm, which is available since we have U 2m C U lm and therefore W m ] G W%t l] . We denote by C®(W$) 
the thinned codebook corresponding to the genie-informed message Wm ■ The size ofCW(W^)is 2^™, where 



r 



l ' is given by (l42l ). Eve attempts to decode xS using C^(W"m) after subtracting the layers lower than I, 



in 



denoted by ^. For any typical sequences x{J| and Y2 m , it can be shown that 



lo s I 1 + : — : — ^ir 



l + h 2 mE l= l + lP b 



Hence, Eve is able to decode X„ with an arbitrarily small error probability when N — > oo. By performing 
decoding for all I G U 2m successively, Eve decodes Xm' . 

B. Decoding of 

We note that X^+ can be partitioned as 

V _ VPJ I I /vPJ n vW \ I I Y [Wl] /^QX 

a,v! + - a_ m+ u (^x^ n a m+ j u a_ m+ , py) 

and Eve performs the decoding of X^+ through the following three steps: 

\D ] YD 1 

1 ) Decoding of X^ 2 / : Eve decodes X^ 2 / directly based on Y2 without using side information. 

2) Decoding of X 1 ^ 1 } nxjjj: Eve decodes X^ 1 ] n xjjjj jointly based on a list decoding argument, which 
is explained in details as in the following. A similar argument based on list decoding was given in lfT2l . 

Definition 3. Sequence X m is the concatenation of the codewords sent from the group of communication 



codebooks C^ m ^ (i.e. X m 
M. + is called a super-sequence, denoted by X 



-"•m 5 • • • j -^m 



). The concatenation of sequences X m for all m G 



The length of sequence X m is N(li m —l 2 m), and the length of super-sequence X is therefore N J2 m &M+ Olm - 
hm)- Therefore, the length of a super-sequence depends on the channel realizations of hi and I12 for a finite 
M. However, as M — > 00, it can be seen that the length does not depend on the channel realizations. 
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(a) 




(b) 



Fig. 8. Two lists of super-sequences: (a) list C{K) constructed based on genie-provided K, (b) list T constructed based on 
joint-typicality. 



As shown in Fig. [H Eve generates two lists of such super-sequences C and T based on genie-provided 
secret key K and joint-typicality, respectively. 

First, given a secret key K, Eve narrows down to bin B(K) in the key generation codebook. Since the 
mapping function g is deterministic (one-to-one) and encoding in the communication phase is also deterministic, 
Eve is able to generate C{K), a list of super-sequences each of which corresponds to a codeword in bin B(K). 
Hence, the size of C(K) is \\C(K)\\ = 2 nR >. 

For each m <E M + and any possible sequence X m , we define 

{1 if (Xm inW2 ', Y2 m ) are jointly typical when X„ 2 ' are decoded and substraced from Y2 m . 
otherwise. 
Eve constructs a list C m such that 

T m = {Xj 7 (X m , Y 2m ) = 1} . (60) 

That is, T m consists of the sequences such that the corresponding codewords coming from codebooks cf DlmnW2ra l 

YD 1 

are jointly typical with Y2 m given that X. m has already been decoded and canceled. Finally, Eve constructs 
a list T by concatenating sequences in T m for all m € M. + . 

Suppose that X is the super-sequence corresponding to the transmitted codewords X^+ n x|^ 2 j. Given 
the two lists C{K) and T, Eve attempts to find X. Eve declares that X were sent, if X is the only common 
super-sequence in both C(K) and T. She declares an error if there is no super-sequence or more than one 
super-sequences in C{K) n T. Hence, there are two error events correspondingly, 
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£i : X C(K) n T, 

£ 2 : there exists X/X, and X € £(#) n T. 
The Asymptotic Equipartition Property (AEP) implies that Pr(£i) < e\, where e\ — > as n — > oo. Pr(£ 2 ) is 
bounded as the follows: 

Pr (£ 2 ) <El Pr (X G C(K) 

IxeT.x^x 

< E{||£||2- n ^} , (61) 

where ||£|| represents the size of the list £, and (|6Tb follows from the uniform distribution of super-sequences 
in C{K). 

To proceed, we need to give a bound on \\C\\. We denote the size of C m to be ||£ m ||. For any m 6 M. + , 
\\Cm\\ can be bounded as the follows: 



|£ m ||=E|^ 7 (X m ,Y 2m ; 

<1+ E{ 7 (X m ,Y 2m )}, 
x m ^x m 



< 1 + 2 



N 



log 1+ 



h 2m E 17 



+ <'2 



< 2 



+e 3 



where £2, £3 — s> as N — >■ 00. The size of £ is then bounded as 



II n £ - 



rt !] — log 1+ 



h 2m P 1 ' 



l + h2 m Ef =l + 1 P 1,1 



)H 



l^ll ~~ 



As M — > 00, by following steps similar as those for deriving (1561 1. we have 

||£|| < 2 n(fl s - £4 ) ) 

Now we can combine (loTT ) and (l62l to obtain that 

Pr(£ 2 ) < 2^ -> 0, 

as n — > 00. Hence, the average error probability for decoding X^+ n X^ 2 { is bounded by 



(62) 



(63) 



Pr(£i U £ 2 ) < Pr(£i) + Pr(£ 2 ) -> 0, 

as n — >• 00. Thus, Eve is able to find the right super-sequence X with a vanishing error probability. Since X 
and the group of codewords xj^+ n x|^ 2 j are related by a one-to-one mapping, we conclude that Eve is able 
to decode Xj^+ n x|^ 2 j with a vanishing error probability. 
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3 ) Decoding of xj^j : Eve subtracts xj^j 2 ] and Xj^+ n x|^ 2 { from Y2 based on the two previous decoding 
procedures, and tries to decode Xm' using the thinned codebooks (W^ 1 '). The decoding procedure is 
similar to that discussed in subsection A.2. 

Finally, we conclude that Eve is able to decode X given Y2, the genie-informed (secret-key) information 
K, and the side information W^. Hence, Fano's inequality implies that 

E 2 = F(X|Y 2 ,W,W[ Wl ],hi,h 2 ) < n5 n -»■ 0, (64) 

as n — > 00. We thus complete the proof of ( |47l ). 



Appendix E 
Proof of Lemma [2] 



We can rewrite the secrecy key rate R s as 



where 



R, = T 1 -T 2 



poo rhi 


' f hl sp(s)ds ' 


Jo Jo 


[J h2 l + sl(s)\ 



d[l-F 2 (h 2 )]d[l-F 1 (h 1 ] 



and 



00 rhi 
JO 



T xi {h x ) 

hl h 2 p(s)ds 
h2 l + h 2 I{s)_ 



d[l-F 2 (h 2 )\ dil-FM]. 



T 2i (.h 1 ) 



A. Evaluation of T\ 

The under-braced term Tu {h\ ) can be evaluated by integrating by part. We have 



hl sp{s)ds 
h2 1 + sl(s 



[1-F 2 (h 2 )\ 



hi 



sp{s)ds f hl 



■'o 

i+,/( S ) + r [i - F2(s)] T + si( S ) 

kl F 2 (s) Sp{s)dS 
2{S) l + sI(s) 



[1-F 2 (h 2 )]d 
sp(s)ds 



up(u)du 
h 2 l + ul{u)_ 



By another integrating by part, we obtain 



Ti= I T li (h 1 )d[l-F 1 (h 1 )} 



Ti^iMl-iMMIo " / [l-Fi(hi)]d[Tu(hi)] 

Jo 

[l-F 1 (h 1 )]d[T li (h 1 )} 



(65) 



(66) 



(67) 



(68) 



(69) 
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B. Evaluation of T 2 

The under-braced term T 2 i(h\) can be rewritten as 

" hl h 2 p{s)ds 



T 2i (h 



Uh 



[1 - F 2 (h 2 )] 



in 



1 + h 2 I{s) 

r fhi h 2P {s)ds 



111 



111 



Notice that 



and therefore 



d 

dh 2 ij h 

Hence, T 2i {hi) can be written as 

T 2i (h) -- 
Furthermore, we have 

^-T 2l (h) = -[1-F 2 (h)] 



/•fti rni 

/ [l-F 2 (s)]d / - 

JO Uh 2 1 

hl h 2 p{s)ds 
2 l + h 2 I(s) 

hl h 2 p(s)ds 



l + h 2 I(s) 



in 



[l-F 2 (h 2 )] 



[1-F 2 (h 2 )]d 

Jo 

+ h 2 I(s)_ ' 

log (1 + h 2 I{h 2 )) - log (1 + h 2 I{hi)) , 

I(h 2 ) - h 2 p(h 2 ) 1(h) 
l + h 2 I{h 2 ) l + h 2 I(h)' 

I (hg) ~ h 2 p(h 2 ) 1(h) 
l + h 2 I(h 2 ) l + h 2 I(hi) 



h 2 p(s)ds 
1 + h 2 I(s) 



dh 2 . 



1(h) -hp(h) 
l + hl(h) 



d 
dh\ 



r rhi 



[1 - F 2 (h 2 )] 



I(h 



1 + h 2 I(h 



-dho 



(70) 



(71) 



To proceed, we need to interchange the operation of differentiation with respect to h with the operation of 
integration over h 2 , where the integral domain is also a function of hi. We use the property that for any real 
differentiable function p(x,y), we can write 



d_ 

dx 



In particular, we have 

-\l 

dh [Jq 



in 



[1 - F 2 (h 2 )\ 



p(x,y)dy =p(x,x) + 
1 + h 2 I(h x 



x dp(x, y) 
dx 



dy. 



(72) 



-dh 







I(h 



dh 



[i-F 2 (h)\ 



I(h 



+ 



p(h\ 



l-F 2 (h) 
l + h x I(h) 



1 + 



hi 



l + hl(h) 1(h) 
where we have used integrating by part to get to the last equality. 
Putting d73l into (TTTb . we have 

At (h ) f Mp^) , KM f hl h(h 2 )dh 2 

dh 2l( 11 " 1(h) 1(h) Jo l + h 2 I(h)' 



f 2 (h 2 )dh 2 
l + h 2 I(h 



(73) 



(74) 
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Now, we can evaluate T 2 by 



T 2i (h 1 )d[l-F 1 (h 1 )\ 

POD 

/ [l-F 1 (h 1 )]dT 2i (h 1 ) 
Jo 

[l-F 1 (h 1 )]F 2 (h 1 )p(h 1 ) 



[l-Fxih^pihx] 



In 



f 2 (h 2 )dh 2 
o l + h 2 I{h 1 ) 



/o I{hi) Jo I{hi) 

C. Evaluation of R s =T\ — T 2 

Using d69l and (|75T ). and replacing the variable h\ and h 2 with x and y, respectively, we have 



[1-F 1 (x)]p(x) 



I(x) 

00 

[l-i^(a:)]p(x) 





h(y)dy F 2 {x) 
J l+yl(x) l + xl(x)_ 
F 2 {y)dy 



Uo [l + yI(x)Y 



which is d2Tb . 



(75) 



(76) 



Appendix F 
Proof of Lemma [2] 

The functional of (|27T ) is defined by 

L (x, I(x),l'(x)) = — [1 — F\(x)] l'(x) 

A necessary condition for a maximum of the integral of L(x,I(x),I'(x)) over x is a zero variation of the 
functional. For characterizing the optimal I(x), the Euler-Lagrangian equation [32 j gives a necessary condition 
denoted by 



F 2 {y)dy 
[l + yl(x)]2 



dL d ( 8L\ 



for which we have, 



dL 
~dl 
dL 

a 77 

d_dL 



81 dxKdl'J °' 



2[i-f iW1 /'(x) r 

Jo [l + yJ(x)] d 
T F 2 (y)rfy 



= AW 



F 2 {y)dy 



with 



[l + y/(:r)] 2 
F 2 (y)dy F 2 (x 



d f x 



2/'(xl 



F 2 (y)dy 
+ yl(x)] 2 ' 

x yF 2 (y)dy 



dx J [1 + yI{x)Y [1 + xl( x )} 2 - "~ ' J Q [1 + yl(x)] 

Using d2U>, @, and dSB in (72), we have 

F 2 (y)rfy _ [l-F!(g)]F 2 (x) 
[l + y/(x)] 2 [l + xl{x)) 2 h{x) 

Hence, we proved Lemma [2] 
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(77) 

(78) 
(79) 
(80) 

(81) 
(82) 
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Appendix G 
Proof of d35 



According to Lemma [T] the secrecy rate is 

= Pr \r [1] < log(l + hiP) 



E 



1 1 2 



R [1] - log (1 + h 2 P) 



Pr {hx > hi} / - log (1 + h 2 P) f2(h 2 )dh 2 

Jo 1 J 

R^F 2 (hl) - log(l + h 2 P)f 2 (h 2 )dh 2 
Jo 



K 



where h\ = [exp(i?M) — l] /P. By using integrating by part for the integral in (l83l . we have 

rftl [i _ exp (-h 2 /\ 2 )\ P 



cxp 



Ai 

By letting t = (1 + h 2 P)/(\ 2 P), we have 



l + /i 2 P 
( K ^v{-h 2 /\ 2 )P 
Jo 



l + h 2 P 



dh 2 
dh 2 



RW = exp ( 



exp 



A 2 P 



^ exp(— t) 



dt 



\ 2 p 



By using h* = [exp(i?[ 1 ]) - l] /P, we can obtain (l35l) . 



A 2 P 



(83) 



Appendix H 
Proof of (1361) 



We can write 

F 2 (y)dy 



o [l + yl(x) 



x 1 -exp(-y/A 2 ) 

o — «y 

o [l + y/(x)] 2 



r/y 



x exp (-y/A 2 ) dy 
o [l + y/(x)] 2 7o [l + y/(^)] 2 ' 



T, 



r 4 



and evaluate T3 and T4 separately. First, we have 

T3 = 

To evaluate T4, we have 

T 4 = -/ ex P(~^)/ 



1 + xl(x) 



I(x) 
1 exp(-y/A 2 ) 



J(x) 1 + y/(x) 



l+y/(x) 



exp(-y/A 2 )dy 



A 2 I(x) y 1 + y/(x) 



1 



1 



exp (-x/X 2 ) 
1 + 



A 2 / 2 (x) 



exp(-y/A 2 ) 
1 + y/(z) 



d[l + yl(x) 



(84) 



(85) 



(86) 
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By letting 1 + yl(x) = t, we have 

m exp(l/A 2 /(x)) f 1+xI W eX p (-t/X 2 I(x)) 



t/X 2 I(x) 



\ 2 I(x) 



1 



A 2 / 2 (x) 
1 

xJHx) 



exp 



cxp 



1 



X 2 I(x) 
1 



\ 2 I(x) 

( 1 



l+z/(x) 



1 + x/(x) 
A 2 /(x) 



(87) 



Combining ([85i (1861 ), d87T ) and (|84l) . we can obtain d36l 



References 

[1] A. D. Wyner, "The wire-tap channel," fie// Syst. Tech. J., vol. 54, no. 8, pp. 1355-1387, Oct. 1975. 

[2] I. Csiszar and J. Korner, "Broadcast channels with confidential messages," IEEE Trans. Inf. Theory, vol. 24, no. 3, pp. 339-348, 
May 1978. 

[3] S. K. Leung- Yan-Cheong and M. Hellman, "The Gaussian wire-tap channel," IEEE Trans. Inf. Theory, vol. 24, no. 4, pp. 451-456, 
July 1978. 

[4] Y. Liang and H. V. Poor, "Multiple access channels with confidential messages," IEEE Trans. Inf. Theory, vol. 54, no. 3, pp. 
976-1002, Mar. 2008. 

[5] R. Liu, I. Marie, R. D. Yates, and P. Spasojevic, "The discrete memoryless multiple access channel with confidential messages," 

in Proc. IEEE Int. Symp. Information Theory, Seattle, WA, July 2006, pp. 957-961. 
[6] L. Lai and H. El Gamal, "The relay-eavesdropper channel: Cooperation for secrecy," IEEE Trans. Inf. Theory, vol. 54, no. 9, pp. 

4005-4019, Sep. 2008. 

[7] E. Tekin and A. Yener, "The general Gaussian multiple-access and two-way wire-tap channels: Achievable rates and cooperative 

jamming," IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2735-2751, Jun. 2008. 
[8] R. Liu, I. Marie, P. Spasojevic, and R. Yates, "Discrete memoryless interference and broadcast channels with confidential messages: 

Secrecy capacity regions," IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2493-2507, Jun. 2008. 
[9] Y. Liang, A. Somekh-Baruch, H. V. Poor, S. Shamai (Shitz), and S. Verdu, "Capacity of cognitive interference channels with and 
without secrecy," IEEE Trans. Inf. Theory, vol. 55, no. 2, pp. 604-619, Feb. 2009. 
[10] Y. Liang, H. V. Poor, and S. Shamai (Shitz), "Information theoretic security," Foundations and Trends in Communications and 

Information Theory, vol. 5, no. 4-5, pp. 355-580, 2008. 
[11] E. Biglieri, J. Proakis, and S. Shamai (Shitz), "Fading channels: information-theoretic and communications aspects," IEEE Trans. 

Inf. Theory, vol. 44, pp. 1895-1911, Oct. 1998. 
[12] P. Gopala, L. Lai, and H. El Gamal, "On the secrecy capacity of fading channels," IEEE Trans. Inf. Theory, vol. 54, no. 10, pp. 
4687-4698, Oct. 2008. 

[13] Y. Liang, H. V. Poor, and S. Shamai (Shitz), "Secure communication over fading channels," IEEE Trans. Inf. Theory, vol. 54, 
no. 6, pp. 2470-2492, Jun. 2008. 

[14] Z. Li, R. Yates, and W. Trappe, "Secrecy capacity of indepedent parallel channels," in Proc. Allerton Conference on Commun. 

Contr. Computing, Monticello, IL, USA, Sept. 2006. 
[15] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor, "On the throughput of secure hybrid-ARQ protocols for Gaussian block-fading 

channels," IEEE Trans, on Inf. Theory, vol. 55, no. 4, pp. 1575-1591, Apr. 2009. 
[16] U. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 

733-742, 1993. 



33 



[17] R. Ahlswede and I. Csiszar, "Common randomness in information theory and cryptography part I: Secret sharing," IEEE Trans. 

Inf. Theory, vol. 39, no. 4, pp. 1121-1132, July 1993. 
[18] I. Csiszar and P. Narayan, "Common randomness and secret key generation with a helper," IEEE Trans, on Inf. Theory, vol. 46, 

no. 2, pp. 344-366, Feb. 2000. 

[19] , "Secrecy capacities for multiple terminals," IEEE Trans, on Inf. Theory, vol. 50, no. 12, pp. 3047-3061, Dec. 2004. 

[20] , "Secrecy capacities for multiterminal channel models," IEEE Trans, on Inf. Theory, vol. 54, no. 6, p. 24372452, Jun. 2008. 

[21] U. Maurer and S. Wolf, "Secret-key agreement over unauthenticated public channels - part I: Definitions and a completeness 

result," IEEE Trans, on Inf. Theory, vol. 49, no. 4, pp. 822-831, Apr. 2003. 
[22] , "Secret-key agreement over unauthenticated public channels - part II: The simulatability condition," IEEE Trans, on Inf. 

Theory, vol. 49, no. 4, pp. 832-838, Apr. 2003. 
[23] , "Secret-key agreement over unauthenticated public channels - part III: Privacy amplification," IEEE Trans, on Inf. Theory, 

vol. 49, no. 4, pp. 839-851, Apr. 2003. 
[24] A. Khisti, S. N. Diggavi, and G. W. Wornell, "Secret key generation using correlated sources and noisy channels," in Proc. IEEE 

Int. Symp. Inf. Thoery, Toronto, Canada, Jul. 2008, pp. 1005-1009. 
[25] V. Prabhakaran, K. Eswaran, and K. Ramchandran, "Secrecy via sources and channels: A secret key - secret message rate tradeoff 

region," in Proc. IEEE Int. Symp. Inf. Thoery, Toronto, Canada, Jul. 2008, pp. 1010-1014. 
[26] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor, "The Gaussian wiretap channel with a helping interferer," in Proc. IEEE Int. 

Symp. Information Theory, Toronto, Canada, Jul. 2008 2008. 
[27] , "Interference assisted secret communication," IEEE Trans, on Inf. Theory, to appear. 

[28] S. Shamai (Shitz), "A broadcast strategy for the Gaussian slowly fading channel," in Proc. IEEE Int. Symp. Inf. Thoery, Ulm, 
Germany, Jun. 29 - Jul. 4 1997. 

[29] S. Shamai (Shitz) and A. Steiner, "A broadcast approach for a single-user slowly fading MIMO channel," IEEE Trans, on Inf. 

Theory, vol. 49, no. 10, pp. 2617-2635, Oct. 2003. 
[30] M. Abdel Latif, A. Sultan, and H. El Gamal, "ARQ based secret key sharing," in Proc. IEEE Int. Conf. on Cornmun. (ICC), 

Dresden, Germany, June 14-18 2009. 
[31] T. Cover, "Broadcast channels," IEEE Trans. Inf. Theory, vol. 18, no. 1, pp. 2-14, Jan. 1972. 
[32] I. Gelfand and S. Fomin, Calculus of Variations. Englewood Cliffs, NJ: Prentice-Hall, 1963. 



